I don't understand why these orgs didn't reply to the email address the fiance provided when she first signed up or registered for whatever it was. Or were these bricks-and-mortar orgs that wouldn't necessarily have an email address on record? (Do such orgs still exist?)
A lot of companies asked for her account login details as proof of identity, which is actually a pretty good idea, Pavur opined.
If it's a pretty good idea, it must just mean username or associated email account, not password, as that would obviously be a very bad idea indeed. Right, kids?